#!/bin/bash


EXT_IF="eth0"
INT_IF="eth1"
IPT=/sbin/iptables
MODPROBE=/sbin/modprobe

debtor_web=94.136.136.22:8000

# KERNEL PARAMETER CONFIGURATION #######################################################################

# PREVENT YOU SYSTEM FROM ANSWERING ICMP ECHO REQUESTS
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# DROP ICMP ECHO-REQUEST MESSAGES SENT TO BROADCAST OR MULTICAST ADDRESSES
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# DONT ACCEPT ICMP REDIRECT MESSAGES
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# DONT SEND ICMP REDIRECT MESSAGES
#echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# DROP SOURCE ROUTED PACKETS
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# ENABLE TCP SYN COOKIE PROTECTION FROM SYN FLOODS
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# ENABLE SOURCE ADDRESS SPOOFING PROTECTION
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# LOG PACKETS WITH IMPOSSIBLE ADDRESSES (DUE TO WRONG ROUTES) ON YOUR NETWORK
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# DISABLE IPV4 FORWARDING
#echo 0 > /proc/sys/net/ipv4/ip_forward

# ENABLE IPV4 FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward

#Increasing the ARP cache size        
#echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
#echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

# High priority source ports, SSH DNS HTTP HTTPS VoIP
HIGHPRIOPORTSRC="22 53 80 8080 443 3478 5060 5061"

#FUNCTIONS #################################################################

function tc_init_hashes {
	#######################################################################
	# create 2 IP sets with ipset.. one for IPs, another for Subnets (:net)
	#######################################################################
	ipset create ban_subnet hash:net hashsize 4096
	ipset create ban_client hash:ip hashsize 4096
	ipset create ban_ping hash:ip hashsize 4096
	#ipset create ban_debtor hash:ip hashsize 4096     #people with debt

	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

function tc_ban_contract_violators {
	###################################
	# to ban TCP PORTS
	###################################
	if [ -s "contract_violators.set" ]; then
		for i in $( cat contract_violators.set );
		do
			#iptables -A INPUT -p udp -m udp --dport $i -j DROP;
			#iptables -A INPUT -p udp -m udp --dport $i -j LOG;
			$IPT -t nat -A PREROUTING -p tcp -s $i -j DNAT --to-destination ${contract_violator_web}
		done
	else
		touch contract_violators.set;
	fi
}

#########################################
# Redirect debtors                      #
#########################################
function tc_ban_debtors {
	local debtor_ip=$1
	local debtor_web=$2
	if [ -s "ban_debtor.set" ]; then
		for i in $( cat ban_debtor.set );
		do
			# ipt_ban_debtors 10.10.112.149 94.136.136.22:8000
			$IPT -t nat -A PREROUTING -p tcp -s $i -j DNAT --to-destination ${debtor_web}
		done
	else
		touch ban_debtor.set;
	fi
}	

	################
	# ban the fucker
	################
	#iptables -A INPUT -m set --match-set ban_client src -j DROP
	 #iptables -t nat -A PREROUTING -p tcp -s $ADDR -d ! ${INT_IP[0]} --dport 80 -j REDIRECT --to-ports 8000


	#iptables -A INPUT -m set --match-set ban_subnet src -j DROP
	#ban ping
	#iptables -A INPUT -m set --match-set ban_ping src -p icmp --icmp-type echo-request -j DROP

	# DROP PRIVATE network packets from public interface
	# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
	# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP






function ipt_load_modules {
	### load connection-tracking modules
	$MODPROBE ip_conntrack
	$MODPROBE iptable_nat
	$MODPROBE ip_conntrack_ftp
	$MODPROBE ip_nat_ftp
}

#FLUSH IPTABLES
function ipt_flush {
	$IPT -X
	$IPT -t nat -F
	$IPT -t nat -X
	$IPT -t mangle -F
	$IPT -t mangle -X
	$IPT -P INPUT ACCEPT
	$IPT -P FORWARD ACCEPT
	$IPT -P OUTPUT ACCEPT
}

function ipt_default {
	#default rules
	$IPT -P INPUT DROP
	$IPT -P FORWARD DROP
	$IPT -P OUTPUT DROP #change to ACCEPT if you trust your internal users
}

# SECURITY STUFF

#allow internal eth1 to talk to external eth0
function ipt_allow_internal_to_external {
	$IPT -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
}

############################################################
# ANTISPOOF                                                #
############################################################
function ipt_antispoof { 
	# Drop any traffic from IANA-reserved IPs.
	$IPT -A INPUT -s 0.0.0.0/7 -j DROP
	$IPT -A INPUT -s 2.0.0.0/8 -j DROP
	$IPT -A INPUT -s 5.0.0.0/8 -j DROP
	$IPT -A INPUT -s 7.0.0.0/8 -j DROP
	$IPT -A INPUT -s 10.0.0.0/8 -j DROP
	$IPT -A INPUT -s 23.0.0.0/8 -j DROP
	$IPT -A INPUT -s 27.0.0.0/8 -j DROP
	$IPT -A INPUT -s 31.0.0.0/8 -j DROP
	$IPT -A INPUT -s 36.0.0.0/7 -j DROP
	$IPT -A INPUT -s 39.0.0.0/8 -j DROP
	$IPT -A INPUT -s 42.0.0.0/8 -j DROP
	$IPT -A INPUT -s 49.0.0.0/8 -j DROP
	$IPT -A INPUT -s 50.0.0.0/8 -j DROP
	$IPT -A INPUT -s 77.0.0.0/8 -j DROP
	$IPT -A INPUT -s 78.0.0.0/7 -j DROP
	$IPT -A INPUT -s 92.0.0.0/6 -j DROP
	$IPT -A INPUT -s 96.0.0.0/4 -j DROP
	$IPT -A INPUT -s 112.0.0.0/5 -j DROP
	$IPT -A INPUT -s 120.0.0.0/8 -j DROP
	$IPT -A INPUT -s 169.254.0.0/16 -j DROP
	$IPT -A INPUT -s 172.16.0.0/12 -j DROP
	$IPT -A INPUT -s 173.0.0.0/8 -j DROP
	$IPT -A INPUT -s 174.0.0.0/7 -j DROP
	$IPT -A INPUT -s 176.0.0.0/5 -j DROP
	$IPT -A INPUT -s 184.0.0.0/6 -j DROP
	$IPT -A INPUT -s 192.0.2.0/24 -j DROP
	$IPT -A INPUT -s 197.0.0.0/8 -j DROP
	$IPT -A INPUT -s 198.18.0.0/15 -j DROP
	$IPT -A INPUT -s 223.0.0.0/8 -j DROP
	$IPT -A INPUT -s 224.0.0.0/3 -j DROP
}

#FIX
############################################################
# IPSEC/VPN traffic                                        #
############################################################
function ipt_allow_IPSEC_VPN {
	$IPT -t filter -A INPUT -i $EXT_IF --proto udp --destination ${PUBLIC_IP} --dport 500 --source  0.0.0.0/0 --sport 500 --jump ACCEPT
	$IPT -t filter -A INPUT -i $EXT_IF --proto udp --destination ${PUBLIC_IP} --dport 4500 --source  0.0.0.0/0 --sport 4500 --jump ACCEPT
	$IPT -t filter -A OUTPUT -o extif --proto udp --destination 0.0.0.0/0 --dport 500 --source ${PUBLIC_IP} --sport 500 --jump ACCEPT 
	$IPT -t filter -A OUTPUT --out-interface extif --proto udp --destination 0.0.0.0/0 --dport 4500 --source ${PUBLIC_IP} --sport 4500 --jump ACCEPT

#VPN talking to internal network
	$IPT -A FORWARD -i extif --source 10.0.2.0/24 -o wirif --destination 10.0.1.0/24 --jump ACCEPT
	$IPT -A FORWARD -i wirif --source 10.0.1.0/24 -o extif --destination 10.0.2.0/24 --jump ACCEPT

#So we need to add to these rules policy that will require the packets come from, and go to the VPN network through the IPsec tunnel.
	$IPT -A FORWARD --match policy --dir in --pol ipsec --mode tunnel --tunnel-dst ${PUBLIC_IP} --tunnel-src 0.0.0.0/0 -i extif --source 10.0.2.0/24 -o wirif --destination 10.0.1.0/24 --jump ACCEPT
 
	$IPT -A FORWARD --match policy --dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src ${PUBLIC_IP} -i wirif --source 10.0.1.0/24 -o extif --destination 10.0.2.0/24 --jump ACCEPT	

#VPN users should be able to use the DNS service too (they don’t need DHCP since they get their IPs from racoon)
	$IPT -A INPUT --match policy --pol ipsec --dir in --mode tunnel --tunnel-dst ${PUBLIC_IP} --tunnel-src 0.0.0.0/0 --protocol udp --in-interface extif --source 10.0.2.0/24 --source-port 1024:65535 --destination 10.0.1.1/24 --destination-port 53 --jump ACCEPT
 
	$IPT -A OUTPUT --match policy --pol ipsec --dir out --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src ${PUBLIC_IP} --protocol udp --source $10.0.1.1/24 --source-port 53 --out-interface extif --destination 10.0.2.0/24 --destination-port 1024:65535 --jump ACCEPT
}

############################################################
# SYN check for possible DDOS                              #
############################################################
function ipt_SYN_check {
	$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New connection not SYN, looks like DDOS attack!"
	$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
}

############################################################
# protection against SYN FLOOD                             #
############################################################
function ipt_SYN_flood_protection { #CHECK!!! Logging
	$IPT -N syn_flood
	$IPT -A INPUT -p tcp --syn -j syn_flood -j LOG --log-prefix "possible SYN FLOOD attack!"
	$IPT -A INPUT -p tcp --syn -j syn_flood
	$IPT -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
	$IPT -A syn_flood -j DROP
}

############################################################
# allow DNS traffic                                        #
############################################################
function ipt_allow_DNS {
	$IPT -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
	$IPT -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
}

############################################################
# allow LOOPBACK interface                                 #
############################################################
function ipt_allow_loopback {
	$IPT -A INPUT -i lo -j ACCEPT
	$IPT -A OUTPUT -o lo -j ACCEPT
}

############################################################
# allow SMTP (sendmail,qmail.. etc)                        #
############################################################
function ipt_allow_SMTP {
	$IPT -A INPUT -i $EXT_IF -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o $EXT_IF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
}

############################################################
# allow IMAP                                               #
############################################################
function ipt_allow_IMAP {
	#The following rules allow IMAP/IMAP2 traffic.
	$IPT -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

	#The following rules allow IMAPS traffic.
	$IPT -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
}

############################################################
# block all NULL packets                                   #
############################################################
function ipt_drop_NULL {
	$IPT -A INPIT -p tcp --tcp-flags ALL NONE -j DROP
}

############################################################
# block all XMAS packets                                   #
############################################################
function ipt_drop_XMAS {
	#iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
	$IPT -A INPUT -p tcp –tcp-flags ALL FIN,PSH,URG -j DROP
}

############################################################
# block all INVALID packets                                #
############################################################
function ipt_drop_invalid {
	# Drop all invalid packets
	$IPT -A INPUT -m state --state INVALID -j DROP
	$IPT -A FORWARD -m state --state INVALID -j DROP
	$IPT -A OUTPUT -m state --state INVALID -j DROP
}

############################################################
# block SMURF attack                                       #
############################################################
function ipt_drop_smurf {
	# Stop smurf attacks
	$IPT -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
	$IPT -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
	$IPT -A INPUT -p icmp -m icmp -j DROP
}

############################################################
# drop excessive RST packets                               #
############################################################
function ipt_drop_RST {
	# Drop excessive RST packets to avoid smurf attacks
	$IPT -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
}

############################################################
# allow POP3 traffic                                       #
############################################################
function ipt_allow_POP3 {
	#The following rules allow POP3 traffic.
	$IPT -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

	#The following rules allow POP3S traffic.
	$IPT -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
}

############################################################
# block all portscans                                      #
############################################################
function ipt_block_portscan {
	# Attempt to block portscans
	# Anyone who tried to portscan us is locked out for an entire day.
	$IPT -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
	$IPT -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
}

############################################################
# prevent DDOS attack on port 80                           #
############################################################
function ipt_prevent_web_DDOS { #FIX
	#This limits only maximum of 60 connections per minute with limit 100per min after reaching limit
	$IPT -A INPUT -p tcp --dport 80 -m limit --limit 60/minute --limit-burst 100 -j ACCEPT

	$IPT -A INPUT -p tcp –dport 80 -m hashlimit –hashlimit 45/sec –hashlimit-burst 60 –hashlimit-mode srcip /
	–hashlimit-name DDOS –hashlimit-htable-size 32768 –hashlimit-htable-max 32768 –hashlimit-htable-gcinterval 1000 /
	–hashlimit-htable-expire 100000 -j ACCEPT
}

############################################################
# allow MySQL connection only from a specific network      #
############################################################
function ipt_allow_MySQL { #FIX
	$IPT -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
}

############################################################
# allows rsync only from a specific network                #
############################################################
function ipt_allow_rSync { #FIX
	$IPT -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
}

############################################################
# allow PING/ICMP                                          #
############################################################
function ipt_allow_PING {
	# allow certain inbound ICMP types (ping, traceroute..)
	$IPT -A INPUT -i $EXT_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
	$IPT -A INPUT -i $EXT_IF -p icmp --icmp-type time-exceeded -j ACCEPT
	$IPT -A INPUT -i $EXT_IF -p icmp --icmp-type echo-reply -j ACCEPT
	$IPT -A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -j ACCEPT
}

############################################################
# allow NIS                                                #
############################################################
function ipt_allow_NIS {
	$IPT -A INPUT -p tcp --dport 111 -j ACCEPT
	$IPT -A INPUT -p udp --dport 111 -j ACCEPT
	$IPT -A INPUT -p tcp --dport 853 -j ACCEPT
	$IPT -A INPUT -p udp --dport 853 -j ACCEPT
	$IPT -A INPUT -p tcp --dport 850 -j ACCEPT
	$IPT -A INPUT -p udp --dport 850 -j ACCEPT
}

############################################################
# allow SSH connections                                    #
############################################################
function ipt_allow_SSH {
	#Allow Incoming SSH only from a Sepcific Network
	$IPT -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPT -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

#SOME FIX
############################################################
# set up loadbalancing for HTTPS                           #
############################################################
function ipt_loadbalance_https {
	$IPT -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
	$IPT -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
	$IPT -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
}

#MAIN ###########################################

ipt_load_modules

